using IdentityModel;
using IdentityServer4.Models;
using System.Collections.Generic;

namespace Idp_Login
{
    public partial class Config
    {
        /// <summary>
        /// 定义API资源 可以理解成资源服务器的别名
        /// 比如 order 服务(站点) 我可以定义为 order API资源.
        /// 那 访问order 服务(站点)时,我需要有 order API资源的访问权限(这个在client中配置)
        /// </summary>
        /// <returns></returns>
        public static IEnumerable<ApiResource> GetApiResources()
        {
            //注: 当 ApiResource 的第三个参数 claimTypes 为null 或 count ==0 时,
            //CustomProfileService 类 的 context.RequestedClaimTypes.Any() /*有请求Claim信息*/   这里就为false 

            //可访问的API资源(资源名，资源描述,这个资源需要的claims)
            var apis = new List<ApiResource>();
            apis.AddRange(Config_ApiResources_Demo.GetApiResources());

            //基于角色的控制 
            //https://www.cnblogs.com/stulzq/p/8726002.html  
            // simple API with a single scope (in this case the scope name is the same as the api name)
            {
                var api = new ApiResource(
                    name: "api1",
                    displayName: "Some API 1",
                    userClaims: new List<string>() {
                        JwtClaimTypes.Role ,

                         //IdentityModel.JwtClaimTypes.Role,
                         //IdentityModel.JwtClaimTypes.NickName,
                         //"eMail"
                    }
                );

                //id4 v4 中 出现下面错误,添加下面这行代码
                //IdentityServerAccessToken was not authenticated. Failure message: IDX10214: Audience validation failed.Audiences: 'System.String'.Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
                api.Scopes.Add("api1");//添加这个就好了


                apis.Add(api);
            }

            apis.Add(new ApiResource("api3", "Some API 3"));
            apis.Add(new ApiResource("good", "good Service"));
            apis.Add(new ApiResource("order", "order Service"));
            apis.Add(new ApiResource("UserApi", "用户获取API", new List<string>() { IdentityModel.JwtClaimTypes.Role, "eMail" }));

            // expanded version if more control is needed
            apis.Add(new ApiResource
            {
                Name = "api2",

                // secret for using introspection endpoint
                ApiSecrets =
                {
                    new Secret("secret".Sha256())
                },

                // include the following using claims in access token (in addition to subject id)
                UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Email },

                #region v4的 ApiResource 的 Scope 正式独立出来为 ApiScope 对象
                // this API defines two scopes

                //Scopes =
                //{
                //    new Scope()
                //    {
                //        Name = "api2.full_access",
                //        DisplayName = "Full access to API 2",
                //    },
                //    new Scope
                //    {
                //        Name = "api2.read_only",
                //        DisplayName = "Read only access to API 2"
                //    }
                //}, 
                #endregion

            });

            return apis;
        }
    }
}
